Your SlideShare is downloading. ×

ISO 27001 for SMEs


Published on

How ISO 27001 will help SMEs ? …

How ISO 27001 will help SMEs ?
An magazine by ISO Organization

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. IMSVol. 9, No. 1 January-February 2009 ISO Management Systems When Results Count. ISO Standards. ISSN 1680-8096 • ISO 9000 video • ISO 50001 and energy • Standards and sustainability “ Big D ” becomes “ Green D ” IS O/IEC 2 7001 SMEs ISO 22000 and a million daily meals for Ship registry and ISO 9001
  • 2. © ISO Management Systems, by Roger Frost EDITORIALYou can count on ISO standards The following examples, large and small, cover both management systems and “ other standards ” – and include a striking negative example. • MPEG-2Y ou may have noticed that there is a slogan under the ISO Management Systems title on the cover page of the The MPEG-2 coding standard has facilitated the worldwidemagazine. The slogan reads : “  hen Results Count. ISO W growth of the digital television and DVD industries, includingStandards.” the diffusion of some 3.5 billion DVDGiven our emphasis machines and 40 billionon ISO’s management DVDs. an estimatedsystem standards and market of USD 2.5 trillion.the results they deliverfor users – as reported • Product databy the users themselves exchange– it’s easy to forget thatISO has more than The ISO Standard for17  4 00 “ other ”  Inter- Exchange of Productnational Standards and Data (STEP), whichrelated documents to addresses the exchangeoffer. of digital product information, has beenThe sheer scale of calculated as havingthe implementation the potential to saveof some of them, for USD 928 million a yearexample, the metric by reducing interoper-system, makes it rather ability problems in thedifficult, if not impos- automotive, aerospacesible, to come up with and shipbuilding indus-precise, totally accurate tries on the results theyhelp to achieve. • Freight containersAnother complication is that a number It is estimated that more than 90   of the world %of standards, such as for freight container trade in non-bulk goods is transported indimensions and many information technol- Some standards provide freight containers conforming to ISO specifi-ogy standards, provide benefits not only for spin-off benefits for much cations. Containerization has reduced the timespecific users like the transport and IT of the world’s population and cost of moving goods across the oceans tosectors, but potentially for all sectors. market by 84  % and 35  % respectively.Indeed, it could be argued that some stand-ards like these provide spin-off benefits for • Spacemuch of the world’s population. The failure to adhere to the international metric system ofIt is relatively simple for individual users of ISO manage- measurement (now the ISO 80000 series) cost US taxpayersment system standards to calculate the benefits that they USD 125 million at the end of September 1999 whenbring their organizations. For the reasons given above, it is NASA’s Mars Climate Orbiter was lost in space becauseoften necessary to have recourse to estimations and projec- engineers had failed to make the conversion from Imperialtions to convey an idea of the results delivered by other units to metric, a costly mistake that sent the spacecraftstandards. fatally close to the surface of Mars. ISO Management Systems – January-February 2009  1
  • 3. © ISO Management Systems, EDITORIAL• Oil and gas • CranesA multinational company calculated that if the systematic Maintenance programmes based on International Standardsuse of ISO standards could be expected to save 1  % of of the millions of cranes in use around the world arethe industry’s annual expenditure, then the saving would estimated to save USD 3 billion annually.amount to USD 180 million and represent a return oninvestment of 25 to 1. • Petroleum company Average benefits of ISO 9000 implementation were some• Concrete nine times the costs over the first year.It is estimated that the world trade in concrete is USD13-14 trillion and that implementing ISO standards could • International development bankincrease this by 1-2  % over a decade. With an annual An ISO 14001-based resource conservation programmeproduction of concrete estimated to be 15 billion tons helped save over USD 250  0 00 through electricity, water,and about 1 % of the world’s population having jobs that paper, and solid waste reduction at its HQ from 2003 todirectly relate to the concrete construction industry, the 2006.value of ISO standards impacting the world trade inconcrete, the quality and longevity of concrete and the • City councilenvironmental impact of concrete production is potentially As a result of a combined ISO 9000 and risk managementenormous. programme implemented by a city council, its insurer waived an 8  % increase in its premium. • Counting on ISO standards2  IMS – January-February 2009
  • 4. © ISO Management Systems, CONTENTS VIEWPOINT 23 5 ISO/TC 207 can get even better Dr. Robert Page, the new Chair of ISO/TC 207, Environmental management, writes : “ISO/TC 207 is built on incredible foundations – its institutional strength, global reach and collective will to develop standards that matter. It is against this backdrop that ISO/TC 207 can get even better, to address calls for greater marketIMS 1-2009 E.indd 1 29.12.2008 10:43:29 relevance and more effective tools.” SPECIAL REPORT 6 ISO MANAGEMENT SYSTEMS is published ISO/IEC 27001 for SMEs six times a year Information security management systems for by the Central small and medium-sized enteprises Secretariat of ISO (International Athough many large organizations have been quick to see the benefits of Organization for Standardization) and is available in English, ISO/IEC 27001:2005 – the information security management system standard French and Spanish editions. – many SMEs have been slow adopters because of a lack of basic advice in its implementation. This will change with development of a new ISO Publisher : ISO Central Secretariat, handbook to demystify the process, due for publication in 2009. 1, ch. de la Voie-Creuse, Case postale 56, CH-1211 Geneva 20, ISO INSIDER 10 Switzerland. Tel. + 41 22 749 01 11. ISO publishes new edition of ISO 9001 Fax + 41 22 733 34 30. ISO has published ISO 9001:2008, the latest edition of the International Standard E-mail Web used by organizations in 175 countries as the framework for their quality manage- ment systems (QMS). ISO 9001:2008, Quality management system – Requirements, Editor in Chief : Roger Frost. is the fourth edition of the standard first published in 1987. Contributing Editor : Garry Lambert. ISO launches video clip  : “  he ISO 9000 family – Global management T Artwork : Pascal Krieger and Pierre Granier. standards ” • ISO 50001 – future management system standard for energy • How ISO contributes to a sustainable world • ISO Guide will A one-year subscription (six issues) to ISO MANAGEMENT help reduce environmental impacts of products • Material flow cost SYSTEMS costs 128 Swiss francs. accounting with ISO 14051 Subscription enquiries : Sonia Rosas-Friot, ISO Central Secretariat. INTERNATIONAL 23 19 Tel. + 41 22 749 03 36. Fax + 41 22 749 09 47. The “ Big D ” becomes the “ Green D ” E-mail Dallas is largely known across the globe for being big…  ig money, b Advertising enquiries : big business, and big hair (the hair styles made famous by the Dallas ISO Central Secretariat, TV series)…and is appropriately nicknamed, “  ig D  . However, B ” Case postale 56, CH-1211 Geneva 20, the “  ig D  is now known as “  reen D  as a result of a three-year B ” G ” Switzerland. ISO 14001 implementation and certification programme across all Contact : Régis Brinster. Tel. + 41 22 749 02 44. major city departments, a first in any US municipal organization. E-mail • Isle of Man Ship Registry – anchored to ISO 9001 © ISO, January-February 2009 • ISO 22000 helps India’s Akshaya Patra Foundation feed ISSN 1680-8096 a million needy children daily The views expressed in • Case studies show value of ISO/IEC 27001 conformity ISO MANAGEMENT SYSTEMS are those of the authors. The advertising STANDARDS FOR SERVICES 37 of products, services, events or training courses in this publication • European initiatives for sheltered housing does not imply their approval by ISO. and airport security Cover photo   Montage ISO : NEXT ISSUE 40 ISO Management Systems – January-February 2009  3
  • 5. © ISO Management Systems, VIEWPOINTIt was a great honour for me significant and important institutional strength, globalto accept the nomination as contribution to sustainable reach and collective will tothe Chair of ISO techni- development. Born out of develop standards that mat-cal committee ISO/TC 207, the 1991 Rio Earth Summit, ter. It is against this back-Environmental management. ISO/TC 207 has epitomized drop that ISO/TC 207 canI have had the pleasure to that Summit’s Agenda 21 get even better, to addressknow several past Chairs and its focus on how govern- calls for greater market rel-of this eminent committee, ments, enterprises and non- evance and more effectivesuch as George Connell and by Robert Page governmental organisations tools.Daniel Gagnier, and will could co-operate to achieve ISO/TC 207work to build on their im- sustainable development.portant legacy. While a success against Continuity andIt has been over 20 yearssince Ms. Gro Harlem can get even any measure, ISO/TC 207 and its ISO 14000 family of change should not be viewed asBrundtland  authored Our standards now compete in a competing visionsCommon Future, the semi-nal report of the United Na- better more crowded market-place addressing a myriad of envi-tions Commission on Envi- ronmental and sustainabil- Continuity and changeronment and Development. Dr. Robert Page has succeeded ity issues. should not be viewed asThis report introduced the Mr. Daniel Gagnier as the new competing visions, but asconcept of sustainable de- Chair of ISO/TC 207. Dr. Page isvelopment to the world as Integrative thinking a necessary and powerful currently the TransAlta Professor reality in today’s world.“ d evelopment that meets of Environmental Management New challenges include the In ISO/TC 207, the axiomthe needs of the present and Sustainability, Energy and En- “ f ragmentation ” of environ- “ t hings must change so theywithout compromising the vironmental Systems Group, Insti- mental issues and analysis – can remain the same ” is anability of future generations tute for Sustainable Energy, Envi- which needs to be balanced operating meet their own needs ” . ronment, & Economy, University with integrative thinking of Calgary, Canada, where he is that recognizes inter-rela- Within this context, it is myMs. Bruntland’s report rec- also an Adjunct Professor in the tionships and cause-effect sincere belief that the col-ognized that sustainable Haskayne School of Business. He relationships. lective expertise, ability anddevelopment in practice re- is also the acting Chair of the Go-quired the integration, or a commitment of our stand- vernment of Canada’s National The need for public cred-systems view, of economy, ards experts – from all walks Round Table on the Environment ibility and market relevancesociety and environment. of life and corners of the and the Economy (NRTEE). has never been greater, butIt recognized the needs of world – can and will increase must be balanced against He is known nationally and interna- the “ sustainability footprint ”the world’s poor and the in- the rigour and decentral-herent limitations on what tionally for his work on energy and ized participation inherent of ISO standards. • the environment in areas such asthe Earth’s environment in the ISO process. The role climate change, emissions trading,can support. Organizations of developing countries, and biodiversity and protected spaces,large and small, governmen- their active participation, environmental impact assessment,tal, business or non-govern- in ISO and ISO/TC 207 re- and policy and regulation.mental, have been trying to mains critical not only ouroperationalize the concept Dr. Page has served for the Govern- Contact : ISO/TC 207 Secretary, credibility, but also to find-of sustainable development ment of Canada in international nego- Kevin Boehmer. ing consensus on global en-ever since. tiations on the Conference of the Par- vironmental issues. E-mail ties for the Kyoto Protocol, the NorthSince 1996, ISO/TC 207 American Free Trade negotiations, and ISO/TC 207 is built on in- Web www.tc207.orgstandards have made a trade and the environment. credible foundations – its Web ISO Management Systems – January-February 2009  5
  • 6. © ISO Management Systems, SPECIAL REPORT Information security management systems for small and medium-sized enteprises Although many large organizations have been quick to see the benefits of ISO/IEC 27001:2005 – the information security management system standard – many SMEs have been slow adopters because of a lack of basic advice in its implementation. This will change with development of a new ISO handbook to demystify the process, due for publication by Edward Humphreys in 2009. Visiting Professor Edward Humphreys (FH University of Applied Science, Hagenberg, Upper Austria), is Convenor of ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, working group WG 1, Information security management systems. E-mail edwardj7@msn.com6  ISO Management Systems – January-February 2009
  • 7. © ISO Management Systems, SPECIAL REPORTISO/IEC 27001:2005, Infor- IEC 27001 implementation ISO/IEC 27002 Yes Partial No Commentsmation technology – Secu- does not need to be costly or Control Questionsrity techniques – Information resource management systems Step-by-step ISMS implemen-– Requirements, is one of a tation enables the SME to be Do you have software 4 Not all thefamily of information security implemented in your computers able to achieve a basic levelmanagement systems (ISMS) computers to detect, in the busi- of cost-effective protection prevent and recover from ness havestandards (see box) for use by without much effort. And by fol- a malicious code attack this softwareall organizations regardless of (e.g. from a virus attack) ? installed. lowing two to three more steps,size and sector. the organization can achieve a Do all your staff know 4Well over 5  000 organizations fully ISO/IEC 27001-conform- about the dangers of ing ISMS when appropriate to malicious code attack (e.g.have already certified their from a virus attack) andISMS in conformity with ISO/ the business. are they trained in the useIEC 27001, and many more are of the software used to detect, prevent and recoverin process of doing so – testi- Basic protection from such attacks ?mony to its broad applicabilityin helping protect business All organizations need a base- Do you regularly update 4 the software used toassets and information, and the line of security to provide a detect, prevent and recoverreason why the ISMS strandard minimum level of protection. from a malicious codehas become the common infor- For example, virus attacks can attack (e.g. from a virus attack) ?mation security language within threaten any organization,and between many different including SMEs. They shouldtypes of enterprise. have back-up systems in place to protect against information Figure 1 – Example of a typical information security gap analysis.However, while many large loss or destruction, and ensureorganizations have been quick physical protection of person- • protection of personnel data Risk assessmentto see the benefits, many small nel data and equipment. and company medium sized enterprises The objective of a risk assess-(SMEs) are still slow to adopt Implementing a basic level of ment is to identify the risksthe standard because of a lack protection is an appropriate confronting an SME so that anof basic advice on its imple- SMEs are still slow starting point for any SME, appropriate set of informationmentation. to adopt ISO/IEC 27001 beginning with a simple gap security controls can be imple- analysis to identify the protec- mented to reduce those risksHelp will shortly be at hand tion already in place, and what to an acceptable level.following the development of a it lacks. Above is a typical gap ISO/IEC 27002:2005 provides a Yet risk assessment is seennew ISO handbook designed to analysis checklist using the code of practice that describes by many SMEs as a formida-provide much needed guidance controls listed in ISO/IEC the necessary controls for basic ble and time-consuming taskon ISO/IEC 27001 implementa- 27002 (see Figure 1). protection, including  : requiring substantial resources.tion for SMEs from all sectors,due for publication in 2009. This • a policy for high level informa- It does not need to be so. To tion security management ; ISMS policy extend SME information pro-article provides a preview. tection beyond the baseline • user awareness ; An information security policy level requires a risk assessmentTwo approaches statement can be a one-page • antivirus software ; exercise. However, the steps document from senior manage- involved are quite straight-The handbook will offer a • backup ; ment listing policy objectives forward as explained in the“  tep-by-step  or “  ll-at-once  s ” a ” and commitment, displayed in • access controls ; forthcoming ISO handbook.approach to implementation the organization’s premises.depending on the SME • p h y s i c a l p r o t e c t i o n o f This is a simple but effective The baseline controls men-resources available. It explains premises and commercially daily reminder to employees tioned are designed to reducethat, irrespective of the size sensitive paper-based files of the importance of informa- specific risks – such as anti-and nature of the SME , ISO/ and documents ; tion security. virus software to reduce the ISO Management Systems – January-February 2009  7
  • 8. © ISO Management Systems, SPECIAL REPORT risk of a virus attack, back-ups to minimize the risk of data The ISO/IEC 27000 family loss through system failures, physical protection to lower the risk of equipment and The ISO/IEC 2700 family of information security management standards currently comprises four documentation theft. publications : ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements ISO/IEC 27001 implementation does not ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information need to be costly security management ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management ISO/IEC 27006:2007, Information technology – Security techniques – Requirements for bodies providing Typical vulnerabilities identi- audit and certification of information security management systems fied by risk assessment can include : The principal standard, ISO/IEC 27001:2005, covers all types of organizations (e.g. commercial enterprises, • On-line information theft government agencies, not-for-profit organizations), and specifies the requirements for establishing, imple- and fraud menting, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization’s overall business risks. This inclues on-line auction frauds, “ phishing ” (e-mail It specifies requirements for the implementation of security controls customized to the needs of indi- disguised as official bank vidual organizations or parts thereof. communication), “ 4 19 ” scam ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security letters, and numerous other controls that protect information assets and give confidence to interested parties, and is intended to deceptions designed to lure be suitable for several different types of use, including the following : users to part with personal information, bank and credit • use within organizations to formulate security requirements and objectives card details, social security numbers or passwords. • use within organizations as a way to ensure that security risks are cost effectively managed • use within organizations to ensure compliance with laws and regulations • System failures • use within an organization as a process framework for the implementation and management of These can can shut down an controls to ensure that the specific security objectives of an organization are met SME’s IT system and disrupt normal business activity for • definition of new information security management processes days with possibly serious • identification and clarification of existing information security management processes effects on revenue and com- petitiveness. • use by the management of organizations to determine the status of information security manage- ment activities • Software problems • use by the internal and external auditors of organizations to determine the degree of compliance These includes bugs, viruses, with the policies, directives and standards adopted by an organization out of date programs and unauthorised access which • use by organizations to provide relevant information about information security policies, directives, can compromise information standards and procedures to trading partners and other organizations with whom they interact for security. operational or commercial reasons • implementation of business-enabling information security • Misuse of company resources • use by organizations to provide relevant information about information security to customers. These can done by external users or SME staff, whether accidental or intentional, and8  ISO Management Systems – January-February 2009
  • 9. © ISO Management Systems, SPECIAL REPORTcan result in breaches of infor-mation security.• Delayed response to security incidentsImmediate reporting of anypotential security risks shouldbe routine with measures takento correct the problem beforeit can have a negative impacton the organization.The risk assessment should onlyfocus on those areas requiringprotection to avoid unnecessaryexpenditure on informationsecurity solutions covering lessrisky areas of the business.Regardless of the measurestaken, it is impossible to reduceinformation security risks tozero. The SME should imple-ment the necessary controls toreduce the risks to an accept-able residual level withoutoverspending on informationsecurity measures. There is a Maintaining an ISMS the new risks. Regular reviewspoint at which the benefits not only ensure the continuinggained are outweighed by the Implementing the controls set It is impossible to reduce effectiveness of the system, butcost of implementing more and out in ISO/IEC 27001 is an information security risks to can be far more cost effectivemore security. important aspect of protect- zero than more substantial periodic ing information, but just as system upgrades. important is maintaining the The new handbook will day-to-day effectiveness of Better protection Managing its information demystify the ISMS. If the system is not security enables an SME to regularly managed then the In this article, I have high- ISO/IEC 27001 make system improvements investment in security can be lighted some of the advice and upgrades when necessary wasted. given in the forthcoming ISO to protect its investment in handbook. It will also include security. This involves regular checklists, scorecards and case monitoring, and reviewing studies to help SMEs focus on any changes in operations the key aspects of protecting that might affect the level their business information of protection that has been using ISO/IEC 27001 as the implemented. ISMS tool. In essencethe new If changes in business condi- handbook will help to simplify tions are significant enough to and demystify ISO/IEC 27001 increase information security requirements and give SMEs risks, then the SME will have a clearer understanding of to consider changing the set how best to protect their busi- of ISMS controls to counter nesses. • ISO Management Systems – January-February 2009  9
  • 10. © ISO Management Systems, ISO INSIDERISO publishes new edition ISO/TC 176, which is respon- sible for the ISO 9000 fam- Although certification of con- formity to ISO 9001 is notof ISO 9001 ily, unites expertise from 80 participating countries and a requirement of the stand- ard, it is frequently used in 19 international or regional both public and private sec- organizations, plus other tech- tors to increase confidenceby Roger Frost nical committees. The review in the products and services of ISO 9001 resulting in the provided by certified organi- 2008 edition was carried out zations, between partners in by subcommittee SC 2 of ISO/ business-to-business relations, TC 176. in the selection of suppliers in supply chains and in the right to tender for procurement User survey contracts. Up to the end of This review has benefited from December 2007, at least 951   86 4 a number of inputs, including ISO 9001:2000 certificates had the following : a justification been issued in 175 countries study against the criteria of and economies. ISO Guide 72:2001, Guidelines for the justification and devel- opment of management system standards ; feedback from the ISO has also developed ISO/TC 176 interpretations an introduction and support process ; a two-year systematic package review of ISO 9001:2000 within ISO/TC 176 / SC2  ; a worldwide user survey carried out by ISO/ ISO (which does not itselfISO has published ISO 9001: experience of implementing TC 176/SC 2, and further data carry out certification) and2008, the latest edition of the the standard worldwide and from national surveys. the International Accredita-International Standard used by introduces changes intended ISO Secretary-General Alan tion Forum (IAF) have agreedorganizations in 175 countries as to improve consistency with Bryden commented : “ T he on an implementation plan tothe framework for their quality the environmental manage- revised ISO 9001 results from a ensure a smooth transition ofmanagement systems (QMS). ment system standard, ISO structured process giving weight accredited certification to ISO 14001:2$004.ISO 9001:2008, Quality man- to the needs of users and to the 9001:2008. The details of theagement system – Require- All ISO standards – currently likely impacts and benefits of plan are given in a joint com-ments, is the fourth edition of more than 17  400 – are periodi- the revisions. ISO 9001:2008 muniqué by the two organiza-the standard first published in cally reviewed. Several factors is therefore the outcome of a tions which is available on the1987 and which has become the combine to render a standard rigorous examination confirm- ISO Web benchmark for provid- out of date, such as technologi- ing its fitness for use as the ISO 9001:2008, Quality man-ing assurance about the ability cal evolution, new methods and international benchmark for agement system – Requirements,to satisfy quality requirements materials, new quality and safe- quality management. costs 114 Swiss francs and is ty requirements, or questionsand to enhance customer sat- available from ISO national of interpretation and applica- ISO/TC 176/SC 2 has alsoisfaction in supplier-customer member institutes (listed with tion. To take account of such developed an introduction andrelationships. contact details on the ISO Web factors and to ensure that ISO support package of documentsISO 9001:2008 contains no new standards are maintained at the explaining what the differences site and from ISOrequirements compared to the state of the art, ISO has a rule are between ISO 9001:2008 Central Secretariat (sales@iso.2000 edition, which it replaces. requiring them to be periodi- and the year 2000 version, why org). •It provides clarifications to the cally reviewed and a decision and what they mean for users.existing requirements of ISO taken to confirm, withdraw or These documents are available9001:2000 based on eight years’ revise the documents. on the ISO Web site.10  ISO Management Systems – January-February 2009
  • 11. © ISO Management Systems, ISO INSIDER ISO launches video clip : “  he ISO 9000 T The ISO 9000 family is devel- oped and maintained by ISO 50001 – future family – Global management standards“ technical committee ISO/TC management 176, Quality management and quality assurance. system standard by Roger Frost The video concept was created for energy by Communication Services, ISO Central Secretariat (ISO/ by Edwin Pinero and ISO has just launched a video efficiency and effectiveness of CS). Post-production by Com- Jason Knopes clip in which users share their the ISO 9000 approach. munication and Information perspectives of earlier ISO services (ISO/CS) and Taurus ISO Secretary-General Alan Studio (sound). Geneva, Swit- 9001 editions and other stand- Bryden comments  : “  henever W zerland www.taurus-studio. ards in the ISO 9000 family the ISO 9000 family is evoked, com. Production input by True- which has become the global the emphasis is usually on ISO world Communications, Unit- benchmark for qualtiy manage- 9001 certification. This video is ed Kingdom,www.trueworld. ment systems. refreshing because the users The ISO 9000 family – Global emphasize the importance and management standards takes benefits of ISO 9000 aspects The ISO 9000 family – Glo- the form of a fictional televi- such as management commit- bal management standards sion business news report on ment, metrics, customer focus, can be downloaded free of ISO 9000 in which real users continual improvement, knowl- charge from ISO’s Web site. speak from their personal edge transfer, cost savings and It is also available (Eng- experience in the varied con- the eight quality management lish only) in high resolu- texts of multinational industry, principles.” tion on DVD in PAL (ISBN a humanitarian aid organiza- 978-92-67-10485-0) and NTSC tion and a police department, (ISBN 978-92-67-10486-7) which ISO says underlines versions for being shown in the combination of flexibility, Users emphasize the conference settings. The DVD importance and benefits version is also free, although of ISO 9000 aspects postage and handling will be charged. It is available from ISO national member institutes (listed with contact The video includes details on the ISO Web site ISO has identified energy interviews with and from ISO management as one of the ISO 9000 users Central Secretariat (sales@ top five fields 1) meriting the from : the inter- • development and promotion national oil and of International Standards. gas industry ; the Effective energy management Cambodia Trust, is a priority focus because of a humanitarian the significant potential to aid organization save energy and reduce green- with headquar- house gas (GHG) emissions ters in the United worldwide. Kingdom, and the Phoenix Police 18.12.20 08 10 :49:00 1) Priorities also include calculation Department, Ari- methods, biofuels, retrofitting and refurbishing, and buildings as zona, USA. determined by the ISO Council Standing - ISO 90 01_clip.i ndd 1 Committee on Strategies Energy Taskace CD Force in 2007. ISO Management Systems – January-February 2009  11 18.12.2008 10:46:52
  • 12. © ISO Management Systems, ISO INSIDERExisting ISO standards for A pressing need International frameworkquality management systems The future ISO 50001 will estab-(ISO 9000 series) and envi- lish an international frame- The authorsronmental management sys- work for industrial and com-tems (ISO 14000 series) have mercial facilities, or entiresuccessfully stimulated sub- companies, to manage allstantial, continual efficiency aspects of energy, includ-improvements within organi- ing procurement and use.zations around the globe. An The standard will provideenergy management standard organizations and com-is expected to similarly achieve panies with technical andmajor, long-term increases in management strategies toenergy efficiency – 20  % or “  he urgency to reduce T increase energy efficiency,more in industrial facilities 2). GHG emissions, the reality reduce costs, and improve of higher prices from reduced environmental performance. Edwin Pinero Jason Knopes availability of fossil fuels, is Chair of is Secretary of Based on broad applicability ISO 50001 will provide and the need to promote ISO/PC 242. ISO/PC 242. across national economic sec-strategies to increase energy efficiency and the use of tors, the standard could influ- efficiency, reduce costs, renewable energy sources ence up to 60 % of the world’s and improve environmental provide a strong rationale energy demand3). Corporations, It is envisioned that the future for developing this new performance supply chain partnerships, utili- standard will provide organi- standard, building on the most advanced good practices ties, energy service companies, zations and companies with and existing national or and others are expected to use a recognized framework forEarly on, the United Nations regional standards.” ISO 50001 as a tool to reduce integrating energy efficiencyIndustrial Development Organ- energy use and carbon emis- into their management prac-ization (UNIDO) recognized Alan Bryden sions in their own facilities tices. Multi-national organi-industry’s need to mount an ISO Secretary-General (as well as those belonging zations will have access to aeffective response to climate 2003-2008 to their customers or suppli- single, harmonized standardchange and to the proliferation ers) and to benchmark their for implementation across theof national energy manage- achievements. organization with a logical and Discussions between USment standards. consistent methodology for experts and ISO’s US mem- As part of the standard devel-In March 2007, UNIDO hosted identifying and implementing ber, the American National opment process, ISO/PC 242a meeting of experts, includ- energy efficiency improve- Standards Institute (ANSI) led will define relevant terms anding representatives from the ments. The standard will also : to a formal proposal for ISO to develop management systemISO Central Secretariat and establish a committee on this requirements along with pro- • a s s i s t o r g a n i z a t i o n s i nnations that have adopted subject. In February 2008, the viding guidance for use, imple- making better use of theirenergy management standards. ISO Technical Management mentation, measurement, and existing energy-consumingThat meeting led to submission Board (TMB) approved the metrics associated with the assets ;of a UNIDO communication establishment of a new project standard. • offer guidance on bench-to the ISO Central Secretariat committee, ISO/PC 242, Energy To provide compatibility and marking, measuring, doc-requesting that ISO consider management, to develop the integration opportunities with umenting, and reportingundertaking work on an inter- future ISO 50001 management other management systems, it energy intensity improve-national energy management system standard for energy. is anticipated that the standard ments and their projectedstandard. ANSI is serving as the commit- will foster the same manage- impact on reductions in tee Secretariat in partnership ment system principles of con- GHG emissions ;2) McKane, et al, 2007 in UNIDO with ISO’s national member tinual improvement and usepublication, Policies for Promoting for Brazil, Associação Bra- the Plan-Do-Check-Act cycle 3) International Energy AgencyIndustrial Energy Efficiency in International Energy Outlook 2007,Developing Countries and Transition sileira de Normas Técnicas employed in ISO 9001 and industrial and commercial world energyEconomies, V.08-52434-April 2008. (ABNT). ISO 14001. use12  ISO Management Systems – January-February 2009
  • 13. © ISO Management Systems, ISO INSIDER• create transparency and facilitate communication on country’s national mirror com- mittee which will coordinate How ISO contributes the management of energy the country’s participation to a sustainable world resources ; in developing the standard. Contact information for ISO• promote energy manage- by Roger Frost members in each country is ment best practice and rein- available on ISO’s Web site force good energy manage- ment behaviour ; Countries wishing to actively ISO has just published a new The brochure is entitled How• assist facilities in evaluating participate and send repre- brochure providing a concise ISO’s technical programme and and prioritizing the imple- sentatives to ISO/PC 242 meet- overview of how ISO’s techni- standards contribute to a sus- mentation of new energy- ings should confirm their par- cal programme, which has so tainable world. It explains how efficient technologies ; ticipation status with the ISO far produced more than 17 400 International Standards of the• provide a framework for Central Secretariat (contact International Standards, contrib- type developed by ISO, based promoting energy efficien- Trevor Vyze – ute to a sustainable world. on a double level of consen- cy throughout the supply and should also inform the sus, between stakeholders and chain ; ISO – a multi-sector, multi-stake- ISO/PC 242 Secretary, Jason between countries, contribute to holder international organization• facilitate energy manage- Knopes, of ANSI (JKnopes@ the three dimensions of sustain- – is the leader for the production ment improvements in the and Co-Secretary able development – economic, of consensus-based International context of GHG emission Felipe Viera, of ABNT, (Felipe. environmental and social. They : Standards. ISO’s membership reduction projects. • comprises the national standards • support the facilitation ofThe first meeting of ISO/PC bodies of 157 countries. This net- global trade, the dissemina-242 was held on 8-10 Septem- work is complemented by more tion of new technologies,ber 2008 near Washington D.C. than 600 international and good business practices andThe meeting was attended by regional partners and the partici- the relations between eco-more than 80 delegates from 25 pation of close to 100 000 experts. nomic actors ;ISO national member bodiesfrom all regions of the world,as well as representation fromUNIDO, which has liaisonstatus with ISO/PC 242.Excellent progress was made inthe technical discussions and afirst working draft has alreadybeen circulated for comment. Amajor point of discussion is theneed to ensure compatibilitywith the existing suite of ISOmanagement system standards.The committee therefore tookthe key decision to base thedraft on the common elementsfound in all of ISO’s manage-ment system standards. The2nd ISO/PC 242 meeting willtake place in Rio de Janeiro,Brazil in March 2009.Energy leaders are encour-aged to participate in their Brochure_sustainable_world.indd C1 29.09.2008 17:26:03 ISO Management Systems – January-February 2009  13
  • 14. © ISO Management Systems, ISO INSIDER ISO Guide will help reduce environmental impacts of products 7:06 08 17:2 by Sandrine Tranchard, 29.09.20 able_wo rld.indd 9 Communication Officer, ISO Central Secretariat _sustain BrochureBrochure _sustaina ble_world .indd 2 ISO has published an up- This Guide is intended for 29.09.20 08 17:2 6:26 dated edition of its guide to use by all those involved in Brochure_sustainable_world.indd 6 29.09.2008 17:26:40 reducing the potential envi- the drafting of product stand- ronmental impact of products ards. Standards writers are • support good environmental tees developing standards for by taking environmental as- not expected to become en- practice and information, energy, food, water, the environ- pects into account in product vironmental experts but, by energy efficiency and the ment, health, fire safety, building, standards. using this Guide, they are en- dissemination of new, eco- transport, nanotechnologies, couraged to : friendly and energy per- social responsibility and people Every product has an impact formance technologies ; with disabilities. on the environment during all • identify and understand stages of its life-cycle, from basic environmental aspects • contribute to consumer It also describes how ISO’s extraction of resources to and impacts related to the protection, safety at work, standardization work benefits end-of-life treatment and the product under considera- healthcare, security and from strategic management and need to reduce the potential tion ; and other social interests which policy inputs that also contribute adverse impacts on the envi- may require technical or to sustainability. These inputs • determine when it is pos- ronment of a product is rec- management standards for come from the TMB and ISO sible and when it is not ognized around the world. the related products and policy development committees possible to deal with an services. for consumer affairs, develop- The newly published ISO environmental issue through ing countries and conformity Guide 64:2008, Guide for a product standard. ISO Secretary-General Alan assessment. addressing environmental is- Bryden commented  : “While sues in product standards, is However, the identification of the content of the majority of How ISO’s technical pro- a practical tool for address- these aspects and the pre- ISO standards is technical, their gramme and standards contrib- ing these issues, as well as diction of their impacts is a implementation goes beyond ute to a sustainable world, 20 a contribution to sustainable complex process. When writ- solving technical problems to pages, A5 landscape format, international trade. ing a product standard, it is delivering positive results in is available in English (ISBN economic, environmental and 978-92-67-10484-3) and French societal spheres.” (ISBN 978-92-67-20484-0) edi- tions, free of charge, from ISO Survey national member institutes (list- ed with contact details on the The new brochure is based on ISO Web site and a survey launched in 2007 by from ISO Central Secretariat the ISO Technical Management ( It can also be Board (TMB) of the technical downloaded as a PDF file from committees that development the ISO Web site. • ISO standards.  They were asked how they felt their standards contributed to sustainable development. The brochure gives a selection of examples provided by commit- 14  ISO Management Systems – January-February 2009
  • 15. © ISO Management Systems, ISO INSIDERimportant to ensure that anevaluation as to how products potential adverse environ- mental impacts at different Material flow cost accountingcan affect the environment at stages of the entire product with ISO 14051different stages of their life- life-cycle ;cycle is carried out as early • emphasize that taking intoas possible in the process of by Katsuhiko Kokubu, Marcelo Kos Silveira Campos, Yoshikuni account environmentaldeveloping the standard. Furukawa, and Hiroshi Tachikawa issues in product standards is a complex process andStep-by-step requires balancing compet- ing priorities ;ISO Guide 64:2008 proposes astep-by-step approach, based • recommend the use of life-on the principle of life-cycle cycle analysis when defininganalysis, in order to promote environmental provisionsa reduction of potential ad- for a product for which averse environmental impacts standard is being drafted ;caused by products. andThe implementation of ISO • to promote the future devel-Guide 64:2008 will help to opment of relevant sectormake standards writers aware guides for addressing envi-of how it is possible to make ronmental issues in prod-an effective contribution to uct standards by standardsenvironmental improvement writers, consistent with thethrough a product standard, principles and approachesand how to reduce potential of this Guide.adverse environmental im-pacts of products. Taking into accountThrough a helpful tool (the environmental issuesenvironmental checklist), the in product standardswriter of product standards is complexcan assess the relevant prod-uct environmental aspects,based on the availability of ISO Guide 64: 2008, Guideenvironmental information, for addressing environmentalproduct and environmental issues in product standards,knowledge and the applica- was developed by the Work-tion of life-cycle analysis. Material flow cost account- ment, is currently working on ing Group, Inclusion of envi- ing (MFCA), an environmen- the development of ISO 14051,Primarily intended for prod- ronmental aspects in product tal management accounting Environmental management –uct standards writers, the ob- standards, ISO/TC 207, En- developed in Germany in the Material flow cost accountingjectives of ISO Guide 64:2008 vironmental management. It late 1990s and since adopted – General framework, targetedare to : costs 132 Swiss francs and is widely in Japan, focuses on trac- for publication early in 2011. available from ISO national• outline the relationship ing waste, emissions and non- member institutes (listed with ISO 14051 will be complemen- between the provisions in products, and can help boost an contact details on the ISO tary to the ISO 14000 fam- product standards and the organization’s economic and Web site and ily of environmental manage- environmental aspects and environmental performance. from ISO Central Secretariat ment system standards (EMS), impacts of the product ; ( • To standardize MFCA practices, including life cycle assessment• assist in drafting or revis- working group (WG) 8 of ISO (ISO 14040, ISO 14044), envi- ing provisions in product technical committee ISO/TC ronmental performance evalu- standards in order to reduce 207, Environmental manage- ation (ISO 14031), and the ISO Management Systems – January-February 2009  15
  • 16. © ISO Management Systems, ISO INSIDERgreenhouse gas management issue. In response, manufactur- The original concept of MFCA MFCA explainedstandards (ISO 14064-1-3, ISO ers and other businesses are was developed in Germany by MFCA is a management infor-14065). under pressure to increase Professor Bernd Wagner and mation system that traces all productivity while reducing colleagues at IMU (Institute fürIn this article, the basic concept input materials flowing through environmental impact. Management und Umwelt) inand application of MFCA, and production processes, and Augsburg, Germany, and intro-development of the new Interna- MFCA can help organizations measures output in finished duced in Japan around 2000.tional Standard are explained. to achieve such objectives by products and waste. identifying emissions and waste Many Japanese companies have For example, where 100 kg of within a process in cost and since adopted MFCA, support-A vital social issue physical terms. Such precise ed by the Japanese Ministry of materials is input into a pro- duction process and 70 kg ofClimate change, environmen- data can motivate managers Economy, Trade and Industry. finished products is obtained,tal legislation, and the global to enhance material produc- In 2008, the Japanese Industrial 30 kg of waste has also beeneconomy are in the headlines tivity and significantly reduce Standards Committee (JISC) produced. An equivalent costmore than ever, highlighting the waste far more effectively than submitted an MFCA proposal evaluation of the finished prod-fact that effective management relying only on conventional to ISO/TC 207, resulting in uct and waste can then beof environmental and economic production and cost accounting the creation of a new working made.affairs has become a vital social information. group, WG 8, in March 2008, to develop ISO 14051. The authors INPUT OUTPUT Manufacturing Positive process (finished) products OUTPUT Negative Equivalent products cost (material loss) evaluation Katsuhiko Kokubu Marcelo Kos Silveira Yoshikuni Furukawa is is Convenor of ISO/ Campos is Co-convenor Secretary of ISO/TC TC 207/WG 8 and of ISO/TC 207/WG 8 207/WG 8 and General Professor, Graduate and Director, Indus- Manager, Sustainable School of Business trial Affairs, Brazilian Management, Govern- Figure 1 – The concept of material flow cost accounting. Administration, Kobe Chemical Industry ment Relations University. Association. Department, Nitto Denko Corporation. E-mail E-mail In MFCA, finished products marcelo@abiquim. E-mail MFCA can boost and waste are respectively yoshikuni_furukawa@ economic and termed positive and negative environmental products. The essential point of Hiroshi Tachikawa is Assistant Secretary of performance MFCA is to recognize waste as ISO/TC 207/WG 8 and Managing Director, Propharm non-marketable (second) prod- Japan Co. Ltd. ucts in the sense that materials are consumed and manufac- E-mail turing facilities are used (see Figure 1).16  ISO Management Systems – January-February 2009
  • 17. © ISO Management Systems, ISO INSIDER Inputs Flow Raw materials  : to Process Finished products 1   00g 0 finished products MFCA in action company significantly increased USD 1   00 0 Raw materials  : Raw materials  the ratio of positive versus nega- 1   00g USD 1   00 0 0 700g USD 1   00 0 MFCA can provide internal and tive products during the period Process cost  : Process cost  USD 800 : Process cost USD 800 external benefits, enabling an 2001 to 2004, using MFCA. USD 800 Total 700g USD 1   00 8 organization to make a greater MFCA can also bring exter- profit with less environmen- Flow to emission nal environmental benefits tal impact. A typical internal by enabling organizations to benefit is the strengthening of Emission (waste) manufacture the same amount an organization’s competitive- of finished product with less Raw materials  ness, since MFCA delivers both 300g input. As a result, they can increased profits and material Process cost reduce environmental impacts productivity. Total 300g such as CO2 emissions and con- A good example of how MFCA sumption of natural resources,Figure 2 – An example of conventional cost accounting. enabled a company to improve as exemplified in the case of productivity is shown in a case the Sanden Corporation, a study of Nitto Denko, a major Japanese manufacturer and Japanese manufacturer of chem- supplier of automotive, com- Inputs Flow ical, electronic and healthcare mercial cooling and heating Raw materials  : to Process Positive products products (see Figure 4). The products (see Figure 5). 1   00g 0 positive USD 1   00 0 products Raw materials  : Raw materials  1   00g USD 1   00 0 0 700g USD 700 2001 2004 2009 (Target) Process cost  : Process cost  USD 800 : Process cost USD 560 USD 800 Positive products (ratio) 68   % 78   % 90   % Total 700g USD 1   60 2 Negative products (ratio) 32   % 22   % 10   % Flow to negative products Total (ratio) 100   % 100   % 100   % Negative products Figure 4 – Improvement in material productivity at Nitto Denko through MFCA. Raw materials  Current Target Amount of Rate of 300g USD 300 Process cost USD 240 amount amount reduction reduction Total 300g USD 540 Input Materials 119t 109t 10t -8   % Emissions (waste) 41t 31t 10t -24  % NegativeFigure 3 – An example of material flow cost accounting. products CO2 emissions 1,234t- CO2 1,151t- CO2 83t- CO2 -7   %MFCA calculations differ from included in the cost of output Figure 5 – Reduction in CO2 emissions at Sanden Corporation through MFCA.conventional cost accounting, as (finished products).illustrated in Figures 2 and 3. In However, in MFCA, waste isthe examples, each production considered to be another prod-process yields a single product Benefits of MFCA uct (negative product), andfrom 1   00 g of material at a cost 0 hence has cost allocated to itof USD 1  000, plus the process- based on certain criteria, whiching cost at USD 800. The costs Internal benefits External benefits in example Figure 3 is weight.are calculated using convention- Therefore, the cost of the waste,al cost accounting in Figure 2 • Increasing profit • Reducing environmental as a negative product of 300 g, • Improving productivity impactsand MFCA in Figure 3. is calculated as USD 540. ThisEven if waste is visible in the is a new information generatedfactory, the cost of that waste is by MFCA that provides anusually ignored in convention- incentive to management to Contributing to sustainable developmental cost accounting, as shown. reduce that cost, achievable byThis amount is automatically reducing waste. Figure 6 – Benefits of MFCA. ISO Management Systems – January-February 2009  17
  • 18. © ISO Management Systems, ISO INSIDERBy applying MFCA to its calculator are often sufficient is expected to benefit a wide Concerning EPE – the PDCAm a n u f a c t u r i n g p r o c e s s e s, – an advantage for small and range of industries. continual improvement proc-Sanden found it could reduce medium-sized enterprises. ess – ISO 14031 in principle ISO 14051 can be consideredthe amount of input materi- sets the outline necessary to as a standard for sustainableals and CO 2 emissions, and monitor material flows within Standardizing MFCA development. However, imple-thus contribute to sustainable organizations, but does not mentation of the cost account-development. ISO/TC 207/WG 8 is currently relate this information to finan- ing method is not within its progressing from working draft cial information systems andBalancing environmental and scope at this stage, nor is it to committee draft stage in the business decisions regardingeconomic factors are vital issues intended for the purpose of development of ISO 14051, costs and the setting of prod-confronting many organizations third-party certification. Environmental management uct prices. However, MFCAwishing to achieve sustainable – Material flow cost account- provides this link.development. MFCA can be of Integration with ing – General framework. Thegreat assistance in this endeav- ISO 14000 International Standard willour. It has become recognized comprise : MFCA can be integrated into MFCA can provideas a valuable management toolbecause it links the environ- 1. Scope the ISO 14000 family of EMS significant informationment to economics, as shown in standards and is complemen- to an organization 2. Normative referenceFigure 6 (preceding page). tary to life cycle assessment 3. Terms and Definitions (LCA), environmental per-MFCA offers the potential formance evaluation (EPE) 4. Objectives of MFCA In addition, the assessment offor : and greenhouse gas manage- CO 2 emissions in many sec-• increased production effi- 5. Framework and Elements ment standards. tors is based on the evalua- ciency through capital invest- of MFCA tion of the material input of With regard to EMS inte- ment, based on appropriate 6. Approach for MFCA energy carriers, which need gration, MFCA can provide and accurate evaluation of to be thoroughly registered in significant information to an investment projects  ; Annex : Calculation Methods organization in the Plan-Do- technical as well as monetary and Case Studies• cost reduction through Check-Act (PDCA) cycle. LCA information systems. MFCA, changes in product design While the objective of ISO generally regards the lifecycle again, provides this link. and raw materials based on 14051 is to standardize the of a product and service as precise evaluation of manu- general principles and frame- a system, and analyses the ISO/TC 207/WG 8 facturing cost  ; work of MFCA, it does not environmental influence in the proceedings• revitalizing on-site improve- cover detailed procedures for lifecycle but does not currently ISO/TC 207/WG 8 has already ment activities (e.g. environ- accounting calculation but include economic aspects of an held workshops and meetings mental and quality manage- rather the steps required to organization. MFCA supports twice, first in Bogota, Colom- ment systems) by providing introduce MFCA, and as such this point. bia, in June 2008 and second in specific targets  ; Tokyo, Japan, in November 2008.• possible extension to the A Committee Draft is planned supply chain and social cost to be circulated in March 2009. management  ; • MFCA focuses on emissions (waste) Currently some 42 experts from 24 countries are participating in• applicability to any organi- • Profit is hidden in emissions (waste) the development of the stand- zation, regardless of type, • MFCA finds out the hidden profit ard, with publication expected size, activity and location, in 2011. • and in developing as well as developed countries.MFCA implementation neednot involve advanced compu-ter-based information data-bases since simple spreadsheetcalculations and the use of a Figure 7 – Spotlighting the benefits of MFCA.18  ISO Management Systems – January-February 2009
  • 19. © ISO Management Systems, INTERNATIONAL The “ Big D” becomes the “ Green D” Dallas is largely known across the globe for being big…big money, big business, and big hair (the hair styles made famous by the Dallas TV series)…and is appropriately nicknamed, “Big D”. However, the “Big D” is now known as “Green D” as a result of a three-year ISO 14001 imple- mentation and certification programme across all major city depart-by Laura W. Fiffick ments, a first in any US municipal organization. Dallas skyline, Texas. ISO Management Systems – January-February 2009  19
  • 20. © ISO Management Systems, INTERNATIONALWith more than 1.2 million assistance of OEQ, to imple-residents covering 384.7 square ment an EMS based on ISOmiles, Dallas is the ninth larg- 14001 across all departmentsest city in the US. The city is in with operations affecting thethe heart of the fourth largest environment.metroplex in the US, and oneof the fastest growing areas in It was also decided the systemthe nation. would be certified in order to ensure the EMS was imple- City Hall, Dallas, Texas.Municipal activities involve mented according to the stand-some 13  0 00 employees and ard and to have an unbiased EMS implementation Health Services (EHS) Depart-a vast number of operations third party auditor conduct the ment to start working on theranging from Love Field Air- The City began its consid- certification. City’s EMS. Initially, otherport and the Dallas Convention eration of an environmental priorities in the department andCenter, to the McCommas Bluff management system (EMS) as the City took precedent, andLandfill and two wastewater far back as 2002. Assistant City the EMS made little progresstreatment plants. In charge is Manager, Jill Jordan, decided other than creating a few drafta City Manager, with 14 coun- that Dallas needed an EMS to documents.cil members serving two-year manage its many sustainabilityterms and a Mayor serving a programmes ranging from the However, in December 2003,four-year term. purchase of natural gas vehicles following negative media reports regarding its environ- mental practices, the City of Dallas received a notice of enforcement (NOE) for envi- ronmental compliance practices at its service centre facilities. These facilities house a variety of operations relating to build- ing, park, street, and vehicle maintenance. The NOE pri- Educating school children about the marily focused on storm water importance of storm water protection and US Resource Conservation at the annual Earthfest celebration and Recovery Act (RCRA) in downtown Dallas. concerns. The departments included were The City sprang into action and as follows: Streets, Park and created the Office of Environ- Recreation, Equipment and mental Quality (OEQ) with 10 Building Services, Aviation, staff members reporting to the Sanitation, Police, Fire, Con- City Manager’s Office. OEQ vention and Event Services,The Office of Environmental Quality conducts an ISO 14001 audit at was staffed with environmental Public Works and Transporta-a City facility. professionals with experience tion, Code Compliance, and to the construction of green ranging from EMS implemen- Dallas Water Utilities. Three buildings. tation to air quality consulting other facilities were included as and waste management. a result of the NOE (Marshal’s Each department After attending a conference Office, Building Inspection, and for cities on EMS sponsored by While the NOE was being was given two years for the Radio Shop). the Texas Municipal League, negotiated only for the service EMS implementation Ms. Jordan created a posi- centre facilities, the City Man- Each department was given tion within the Environmental ager’s Office decided, with the two years – by April 2007 – to20  ISO Management Systems – January-February 2009
  • 21. © ISO Management Systems, INTERNATIONALcomplete implementation of hour over the three years ofthe EMS. An environmental the EMS implementation andmanagement representative certification process. OEQ(EMR) was assigned in each was originally staffed with 10of these departments to imple- positions; however over thement the EMS. OEQ developed implementation of the EMSthe schedule and deliverables, and associated successes, OEQas well as provided the train- now has 22 members. Of theseing and coaching necessary to 22 staff members, four are dedi-implement the EMS. Frequent cated full time to the EMS.updates were given to the CityManager’s Office and each Benefitsdepartment Director on theprogress. The primary benefit achieved as a result of the EMS is envi-The EMS was divided into 10 ronmental compliance acrosselements for implementation: A training discussion on environmental aspects and impacts during City the City of Dallas. Depart- operations. ments now have the tools theypre-planning, policy, aspects,legal, objectives and targets, different departments. Each will move to an annual surveil- need to assess and comply withtraining, documents, EMS audit team included at a mini- lance audit schedule. environmental legal require-auditing, corrective action, and mum one auditor from the cer- review. OEQ and tification body, the department’s Resourcesthe EMRs met each month for EMR, and one member of hour and every six months Some EMRs included one or Initially, each departmentalfor one day. more members of their EMS EMR was directed to dedicate core team on the audit team. 50 % of their time to implemen-Each meeting included training tation of the EMS. However,as well as discussion and feed- some larger departments, suchback on the EMS. Problems as Dallas Water Utilities, endedwere discussed, and informa- up with a full time EMR as welltion was shared among all as an additional assistant staffEMRs. member. Turning compost material at Dallas Zoo for use in exhibits. Many of the departments divid-Certification These tools include regulatory ed EMR responsibilities amongThe City of Dallas’ EMS was two or three staff members. notifications, ongoing training, Inspection of spill materials at a City environmental documentationcertified across 11 departments, Additionally, each department fuelling facility. systems, compliance auditing,plus three additional facilities, developed a cross-functionalencompassing some 11  000 of EMS core team. and monitoring of correctivethe City’s 13  0 00 employees Nonconformities received were action. OEQ conducts overand 450 facilities. first addressed by the individual These core teams met at least 100 compliance audits per year department, and then reviewed once a month for at least one and reports the results to CityStage I of the ISO 14001 cer- by OEQ to determine if it was Management.tification audit was conducted a system-wide issue. After allin only one day; however Stage nonconformities were closed, As of the writing of this article,II lasted approximately seven the certification was received no notices of violation haveweeks and included an average in June 2008. been received by the City ofof three separate audit teams Dallas (11 notices of viola-working simultaneously. The City of Dallas will have tion were received by the City semi-annual follow-up surveil- of Dallas in the first year ofIn one week, there were seven lance audits for the first year Introduction of the“Earth Day Every- EMS implementation), andaudit teams working across six following certification, and then day” EMS logo to City employees. each facility with a compliance ISO Management Systems – January-February 2009  21
  • 22. © ISO Management Systems, INTERNATIONALaudit averages two minor non- A third benefit is increased the parts clean. Not only didconformities per audit. These communication on environ- the water-based parts washernonconformities identified are mental issues across the EMS eliminate the use of hazardousgenerally minor paperwork Departments. Before imple- chemicals, but it also allowedissues or are related to drum menting the EMS, even if him to conduct other taskslabelling. departments had an environ- while the parts were being mental representative, there cleaned.This achievement is not only was no discussion or sharingimportant for the financial and of information between benefits, but if a City is Now, each department has an Lessons learnedgoing to ask its residents and EMR that meets regularly with While the City received manybusinesses to exceed environ- other EMRs to discuss not only unexpected environmentalmental requirements through the EMS, but also ongoing envi- benefits of the EMS, there werewater and waste programmes, ronmental projects. This has not also unexpected obstacles. Onethen the City should be doing only led to enhanced efficiency of these obstacles included staff The City’s green fleet includes a totalit as well. and cost savings to the City, but turnover in both OEQ and with of 2,006 alternative fuel vehicles also to improved environmen- the EMRs. One department –175 of those are hybrid (electric and tal and safety practices. had five different EMRs before gasoline). certification and has already Fo r e x a m p l e, d u r i n g o n e had an additional change post- meeting on washing parts by the EMS implementation due certification. maintenance staff, a mechanic to the lack of understanding from Equipment and Building of environmental regulations The departments with even one Services discussed a new water- and EMS terminology, as well change in the EMR had difficul- based parts washer that steams as due to some desire to change ty keeping up with the pace of the components of the EMSMonitoring stormwater treatment that were already in place.devices at the Dallas Police Auto The City of Dallas is using “waterImpound. wise” landscaping techniques at many of its facilities to conserveThe second benefit achieved The City of Dallas water. These techniques include thehas been improved environ- was certified across use of native Texas and droughtmental quality. These improve- tolerant plants and flowers. 11 departmentsments have been achievedin the form of reduced wateruse (1  % reduction per year), Another lesson learned wasenergy conservation (5  % varying levels of commitmentreduction per year), renew- across City facilities. While aable energy purchase (40  % of Department Director may betotal enegy purchase per year), very engaged in the overalland increased recycling rates in implementation of the EMS,City departments. OEQ had some difficulty assessing if the entire depart-Additionally, many new envi- ment, including all facilities,ronmental initiatives are on were on track.the horizon. For example, theStreets Department is now In a few cases, facility manag-recycling trash collected over- ers were not engaged in thenight from downtown Dallas EMS and had not implementedstreets, and the Fire Depart- all components as scheduled.ment is recycling used cooking This would only be discoveredoil from its fire stations. during a conversation with the22  ISO Management Systems – January-February 2009
  • 23. © ISO Management Systems, INTERNATIONAL The authorfacility manager or an EMS or Future planscompliance audit. Laura W. Fiffick is like to acknowl- a Senior Environ- edge the assist- With the success of the ISOA third difficulty was the mental Scientist ance of Frank 14001 programme at the Cityactual certification process working with Gre- Camp at the City of Dallas, the City Managerwith the third party registrar. sham, Smith and of Dallas in and City Council have decidedUnderstanding the differences Partners, a plan- preparing this to also implement ISO 9001between operations of a munic- ning, engineering, article. (quality management) as wellipality as compared to those of architecture and as OHSAS 18000 (health anda typical industrial facility was interior design firm in Dallas, The author would like to safety management) acrossa large hurdle for the registrar Texas. She was the Director of acknowledge the assistance in City departments. These pro-to overcome. the Office of Enviornmental preparing this article of Frank grammes will be implemented Quality at the City of Dallas Camp, Senior Environmental Coor- in departments one-by-one, when the City’s environmental dinator, Office of Environmental instead of across all depart- management system was im- Quality, City of Dallas. ments at the same time. One benefit is increased plemented. Laura Fiffick would communication on E-mail To date, the Streets Department E-mail environmental issues has received ISO 9001:2000 Web http Web certification. Ultimately, the requirements of the three standards (quality, EMS andIn addition, communication Additionally, the nonconformi- for evaluation of compliance health and safety) will be inte-between the various audit ties identified in the field by and contractor requirements. grated across City Depart-teams working simultaneously auditors were not consistently While the City of Dallas had ments. •was difficult. Municipal opera- communicated during the vari- documented its interpreta-tions are not affected by envi- ous closing meetings either to tion of the ISO standard andronmental legal requirements OEQ or to the registrar’s lead associated requirements, notin some instances in the same auditor. all of the auditors had reviewedway as industrial facilities. this documentation, and many “Big Blue” refuse containers used inThis caused some confusion Two specific areas of con- of the auditors had their own a single stream recycling programmeand disagreement during the cern were the requirements separate interpretation. implemented by the CIty of Dallasregistration audit. in the ISO 14001 standard for the residential sector. ISO Management Systems – January-February 2009  23
  • 24. © ISO Management Systems, INTERNATIONAL Isle of Man Ship Registry – anchored to ISO 9001 Certified to ISO 9001 since 1996, it was the arrival of ISO 9001:  2000 that really turned the Isle of Man Ship Registry into a “ fan ”, explaining  : “ ISO 9001 works because of its common sense approach and its eight core qual- ity principals are clearly obvious steps for any business to pursue whether they are seeking certification or not.” by Ray Ferguson Ray Ferguson is Quality Manager with the Isle of Man Ship Registry. E-mail Website The Isle of Man ensign. The Isle of Man, situated in It boasts some of the worlds As part of the Manx (Isle of Man) the Irish Sea midway between most highly respected shipping Government attached to the England and Ireland, registered companies such as BP, Maersk Department of Trade and Indus- its first ships over two centuries and Shell amongst its clients. try, our business involves the ago and has been operating About 90  of the world’s trade % registration of ships and yachts, a modern International Ship by volume is sea borne and ship- the technical regulation and juris- Registry since 1984. ping remains one of the most diction for those vessels on the economical forms of transpor- register and the development of tation. merchant shipping legislation.24  ISO Management Systems – January-February 2009
  • 25. © ISO Management Systems, INTERNATIONALWith a dedicated team of only32 employees, we service acurrent fleet of over 440 shipswith a combined tonnage ofaround 9.4 million gross tons.In addition, we have an orderbook with a further 72 shipsand 57 yachts (including “  uper syachts ” ) under constructionthat are due for delivery underthe Isle of Man flag in the next2-3 years. ISO 9004:2000 offers many helpful ways to grow beyond customer expectations Registry surveyors carry out vessel surveys and audits for complianceOur surveyors carry out vessel with national and internationalsurveys and audits for compli- maritime codes.ance with national and interna-tional maritime codes visiting Inspections are carried out to fit inships at ports around the world, with vessels’ schedules to ensurefitting in as much as possible minimum disruption to any portsidewith the vessels’ schedules to activities.ensure minimum disruptionto any portside activities andoperations that may be tak-ing place.Shipping company offices arealso visited and their internalmanagement systems auditedon a regular basis to ensurecompliance with the inter- mount – particularly when the mandatory for certain shipnational safety management only “ p roduct ” that we offer sizes the International Safety(ISM) systems code. is ourselves. Management Code which con-The Registry team provides tained many of the elementsa “ u ser friendly ” and speedy Mandatory of ISO 9001:1994.process throughout the reg- In the late 80s and early 90s, As a government departmentistration procedure and are international shipping suf- with the responsibility toavailable 24/7 enabling clients fered a number of maritime approve and audit ships andto register their vessels at any disasters that cost many lives companies for compliance withtime from anywhere in the and investigations revealed the ISM Code, it was decidedworld. major errors on the part of that we needed to invest inIn a highly competitive global ship management. The Interna- our own quality managementmarketplace, customer focus tional Maritime Organization system.and quality of service is para- (IMO) developed and made ISO Management Systems – January-February 2009  25
  • 26. © ISO Management Systems, INTERNATIONALSo although we had been ity can still be heard in some system specific to our business a high quality service dedicatedan ISO 9001:1994 registered service industry sectors today objectives and in line with our to the principles of qualityorganization since 1996, certi- and I believe this impres- existing scope of certification assurance, in order to promotefied through Lloyd’s Register sion was a leading reason for which states  : both the expansion andQuality Assurance (LRQA), the relatively slow uptake diversification of the shippingit was the introduction of the of the 2000 standard within The provision of a shipping sector and the creation ofgeneric ISO 9001: 2 000 stand- many public sector and service register and marine adminis- employment opportunities byard that provided the empha- organizations. tration including the registry, registering quality ships andsis on the two key features survey and inspection of ships, facilitating the establishmentof customer satisfaction and issue of seafarer’s certification of marine enterprises in the and developing merchantcustomer focus which, together The eight quality principals island. shipping legislation.with the change of approach are obvious steps for anyfrom individual elements to It as also agreed that we would business to pursue Working with LRQA, the tran-a “process-based ” approach, achieve this via three steps : sition took about 24 months 1. maintain and develop a first-class ship registry ; SANS 16001 is seen 2. continuously seek improve- as improving confidence ments in our performance ; in South African goods 3. encourage new shipping and services business. We received our final assess- ment and certification in late 2003 coinciding with our “  ew  n ” management system having just been used to help develop the procedures and processes required to meet forthcoming International Ship and Port Security Code requirements. Greater focus The benefits of having a great- er focus, clear objectives and improved communication haveThe Ship Registry’s clients include 57 yachts – including “super yachts” like the one pictured here – under construc- kept the Isle of Man Shiption that are due for delivery under the Isle of Man flag in the next 2-3 years. Registry highly placed on the Paris and Tokyo Memorandumopened up the opportunity Fortunately, recent surveys during which time our qual- of Understanding on “  hite Wto develop a quality manage- indicate a positive swing with ity manual was completely Lists ” for port state control.ment system that could be fully an increasing number of pub- revised, internal auditors re- This is the industry perform-integrated into our normal lic and service organizations trained and staff made aware ance standard, and has contrib-business operations. adopting quality standards of the change of focus. After uted to us being placed No. 1 and tools. several discussions our policy on the Flag State PerformanceThe lament about the per- table issued by a round table – or mission – statement wasceived bias of the old ISO It was recognised quite early of shipping associations. agreed as the following  :9001:1994 standard towards by the Ship Registry that,the manufacturing industry with the 2000 standard, we It is the policy of the Isle of Many of the companies weand engineered product qual- could create a management Man Ship Registry to provide visit are also certified to ISO26  ISO Management Systems – January-February 2009
  • 27. © ISO Management Systems, INTERNATIONAL9001:2000 so a common bondexists that helps towards a goodworking relationship. Our ISO9001: 2000 certification, whichwe actively promote, sendsout the signal that we are seri-ous about quality and that isan important message to theshipping world. The competi-tive advantage of being one ofonly a few registries holdingISO 9001: 2000 certification isa major consideration in ourmarketing.By far the greatest impact ofour ISO 9001: 2001 involve-ment has been in our combinedapproach to customer needs,analysis of data and the impetusof continual improvement. TheISO 9004:2000 guidelines forperformance improvementsis a useful guide that is oftenoverlooked, but which actually The Ship Registry currently services a fleet of over 440 ships, such as these tankers.offers many helpful ways togrow beyond customer expec- All our customer-facing staff which is what we are here for. and its eight core quality prin-tations. have attended “voice of the Improvements don’t have to cipals are clearly obvious steps customer” (VOC) training be sweeping changes, major for any business to pursue courses to improve the inter- re-structuring or new systems. whether they are seeking cer- A successful system actions between clients and Even a small change to our tification or not. cannot remain static the Ship Registry. Subse- internal processes that makes life easier and improves our The standard provides the quently, we now have a far ability to do a job better is to platform and basic structure on better understanding of what be encouraged. which to build a managementAlthough we had been collect- is important to our customers system which is unique to youring a vast amount of data it was and are able to use quality This open approach to encour- business needs. Bear in mindnot really being analysed into function deployment tools to age and involve everyone gen- though that, almost by defini-any useful information. So two decide best options. Staff com- erates a constant stream of tion, a successful system is oneyears ago, we created several mitment and support comes improvement opportunities. that cannot remain static, butkey performance indicators so from ensuring that everyone is The combination of custom- rather is one that continuallyvital areas of interest could be kept informed and involved. er focus and willingness to evolves to the changes that aremonitored on a monthly basis Para 8.5.1. Continual Improve- embrace change by the whole generated from within its verygiving an early warning to the ment, in our quality manual team, backed up by a system own processes. If your manage-management team if anything states : that sets achievable objectives ment system isn’t generatingwas slipping to plan and provid- and monitors internal and improvement opportunitiesing the opportunity for preven- The reason for having external performances is what – it’s not working ! •tive measures to be taken if ISO 9001:2000 is to give us really works and helps set usrequired. This data now also a structured approach to apart from our competitors.provides a year-by-year record doing what we do. It alsomaking future planning much introduces a need for continu- ISO 9001:2000 works becauseless of a guessing game. ally improving our business, of its common sense approach ISO Management Systems – January-February 2009  27
  • 28. © ISO Management Systems, INTERNATIONAL ISO 22000 helps India’s Akshaya Patra Foundation feed a million needy children daily India’s celebrated Akshaya Patra Foundation feeds wholesome school meals to over 966 000 children daily through an ambitious ISO 22000: 2005-certified programme, and, in so doing, encourages the young and by Aparna Achar and Chanchalapathi Dasa needy to attend school rather than risk becoming child labourers. Aparna Achar is Associate Editor Chanchalapathi Dasa is Vice of Log India, a specialized trade Chairman of the Akshaya Patra Cut vegetables are stored overnight in one of Akshaya Patra’s journal on business logistics and Foundation, and has spear-headed ISO 22000:2005-certified cold storage rooms. outsourcing, and contributes to the implementation of its majorIndian and international economics, food programme across India since Education thrives on a full stomach: many Indian children are encouragedbusiness, and communications pub- inception in 2000. to go to school by the promise of a square meal each day, thanks to the lications and to Indian national Akshaya Patra food programme. newspapers. She also reports on Web the activities of the Akshaya Patra Foundation. Harshia Banu is a seventh grade student from the govern- E-mail ment-run Urdu Higher Primary School in Bangalore, India. When she says, “I often fainted from hunger, but now, with the food I get in school, I feel I have a new life”, one realizes the importance of access to good quality food.28  ISO Management Systems – January-February 2009
  • 29. © ISO Management Systems, INTERNATIONAL Food safety standards One way of minimizing health hazards is to adhere strictly to international food safety standards, as exemplified by the Akshaya Patra Foundation in India. The organization, which feeds wholesome school meals to over 966 000 children daily, recently achieved certifi- cation to ISO 22000:2005, Food safety management systems – Requirements for any organi- zation in the food chain.Akshaya Patra cooks prepare ricein bulk as a staple for meals serveddaily to nearly one million needychildren in 5 700 schools in India. Indian children enjoy the benefits of healthy, nutritious school meals served free from the kitchens of the Akshaya Patra Foundation.“We are what we eat”Our physical and mental healthare greatly influenced by thefood we eat. Obviously, thatfood should be free of con-taminants, toxins and any sub-stances that could cause chronichealth problems. But how manyof us can claim that our food isabsolutely safe, unadulteratedand nutritious? Akshaya Patra’s ISO 22000 certification is believedto be the first achieved by an NGO of diarrhea in the world are projected growth taking place Certification to the internationalFood-borne diseases pose a directly caused by biological in developing countries. But food safety management systemserious challenge to life and or chemical contamination rapid urbanization and lack (FSMS) standard was achievedeconomy in many developing of foods. of resources to deal with food by Akshaya Patra’s automatedcountries. The World Health A United Nations study esti- and environmental issues in kitchen facilities in Ahmedabad,Organization estimates that mated that world population these countries can lead to North and South Bangalore,almost 70 % of the approxi- would reach 7.6 billion by food safety risks. Hubli-Dharwad, Jaipur andmate 1.5 billion annual cases 2020, with nearly 98 % of the Vrindavan. It is believed to be ISO Management Systems – January-February 2009  29
  • 30. © ISO Management Systems, INTERNATIONALthe first FSMS certification evera food programme managed bya non-governmental organiza-tion (NGO).For thousands of deprived chil-dren like Harshia Banu, ISO22000:2005 implementationmeans consistently safe, nutri-tious food that nourishes theirphysical and mental growthday after day. The meals thatAkshaya Patra serves thesechildren is often their onlysource of sustenance. Now theyare delivered with the addedFSMS-certified assurance of A customized van is loaded with stainless steelsafety and high quality, certified food containers ready for distribution to local schools,by international certification as part of the Akshaya Patra Foundation’s daily school meal delivery to six regions across India.body, Det Norske Veritas AS.About Akshaya Patra dren and by doing so, motivate Since then Akshaya Patra – cific fresh food is delivered them to attend school so that Sanskrit for “abundant and to 5 700 schools, 220 days perThe Akshaya Patra Foundation they do not end up as child inexhaustible” – has become year, from 16 kitchens locatedwas set up in 2000 as a strategic labourers. Its stated vision is one of the most effective food in Andhra and Uttar Pradesh,food programme with two key that no child in India shall be programmes in India, facilitat- Gujarat, Karnataka, Orissa andobjectives: to offer unlimited, deprived of education because ing formal education for nearly Rajasthan.wholesome and free school of hunger. one million needy children The Foundation is a not-for-lunches to underprivileged chil- daily. Abundant, region-spe- profit NGO, equitable and secular in its approach. It is run as an independent, reg- istered charitable trust with headquarters in Bangalore, branch offices across the coun- try, and international offices in the United Kingdom and the United States. Sustainability is achieved through subsidies from the central and state governments of India, corporate and philan- thropic institutional support, and individual donations. Workers involved in food prepara- tion at Akskaya Patra Foundation kitchens observe strict hygiene procedures in meeting the food safety management requirements of ISO 22000:2005.30  IMS – January-February 2009
  • 31. © ISO Management Systems, INTERNATIONALFo o d i s p r o v i d e d o n l y t o for 100 000 children can be Tributes India. Your use of efficient andgovernment-run schools that cooked in less than five hours innovative business practicesalready have a secular student in one of the automated kitch- Akshaya Patra has received to scale up in just a few yearsadmission policy so that the ens. Efficient logistics then many awards in India, and from feeding 1 500 school chil-benefits of the programme are guarantee timely distribution the Harvard Business School dren daily to almost a millionoffered to all children regard- of food to schools. wrote a case study on the is a powerful demonstration ofless of sect or religion. Food Foundation’s use of precise what’s possible when people Modern technology is just oneis supplemented with oral time management, now incor- work together.” example of the many waysmicronutrients and coupled porated into its management in which the Akshaya Patrawith educational incentives courses. About ISO 22000:2005 Foundation has endeavouredto boost child development US President-elect Barack to adopt the best practices of ISO 22000:2005 is an Interna-holistically. Obama, in a recent letter to the corporate world. To ensure tional Standard that specifiesThe innovative project infra- transparency and accountabil- the Foundation, said: requirements for a food safetystructure is technology-driven, ity, it has engaged audit, tax “I want to congratulate you management system whereprocess-oriented and easily and advisory services provider and the people of Akshaya an organization in the foodscaled up. For example, a KPMG to audit the programme P a t r a Fo u n d a t i on f or t h e chain needs to demonstrate itsthree-item localized menu for funds utilization. incredible progress you’ve ability to control food safety made in feeding the children of hazards in order to ensure that food is safe at the time of human consumption. Chappatti dough for Indian bread is Since it emphasizes the proc- cut, roasted and collected in con- ess and not just the end-point tainers in Akshaya Patra’s Jaipur safety measures, the FSMS kitchen, one of 16 ISO 22000:2005- standard requires sustained certified kitchens in the Foundation’s quality throughout the chain – extensive school food programme. from procurement of raw mate- rials until the food is served to Sambar lentil and vegetable soup children. is cooked in stainless steel cauldrons By conforming to ISO 22000: on level two of Akshaya Patra’s 2005, the Akshaya Patra Foun- gravity flow kitchen in Hubli, dation has underlined its com- Karnataka, India. mitment to the highest quality in food safety, management and delivery. FSMS benefits It is said that the poor will consume almost anything to ease their hunger. Survival may depend on a minimum quantity of food regardless of quality. However, consumption of food which does not meet minimum safety standards can also jeopardize survival. Akshaya Patra is aware that food served to underprivileged children should be safe and of ISO Management Systems – January-February 2009  31
  • 32. © ISO Management Systems, INTERNATIONALgood quality, which is why, from ous, sustained and quality-its inception, the Foundation conscious movement facili-has implemented mechanized tating the education of needycooking and delivery processes children for better health,with the least possible human employability and living.intervention. • Best practiceISO 22000:2005 certificationreinforces our programme The food programme now incor-objectives, one of which is to porates global best practicestreat the target audience with through ISO 22000:2005 imple-dignity and compassion. Imple- mention and conformity.mentation of the FSMS stand-ard has also brought numerous • Enhanced image Vats of yogurt, an important accompaniment to the nutritious school mealsbenefits, including : FSMS certification of an NGO- prepared by the Akshaya Patra Foundation, await delivery. managed food programme• Renewed commitment enhances India’s image and tions to do likewise and pass • Raising standardsCertification has renewed our reputation internationally. on the benefits to users. FSMS implementation hascommitment to quality andsafety for deprived children. • Motivating others • Global precedent raised quality at all levels. This in turn has motivated Since the Akshaya Patra pro- We have established a global• Reassuring stakeholders staff, donors, suppliers and all gramme is easy to replicate, precedent as the first NGO-runStakeholders are reassured stakeholders to offer the best certification will encourage food programme to achievethat Akshaya Patra is a seri- possible service. similar food project organiza- ISO 22000:2005 certification. • Reducing cost ISO 22000:2005 implemen- tation has not only led to improved food quality and safety, but also to reductions in cost of production and in waste. • Extending resources The resources thus saved can be focused on bringing more underprivileged children into the programme. For the future, we plan fur- ther extensions to the pro- gramme which are expected to bring long-term economic and social benefits to India in reduced child malnutrition, better health, less disease and greater productivity. •32  ISO Management Systems – January-February 2009
  • 33. © ISO Management Systems, INTERNATIONAL Case studies show value of ISO/IEC 27001 conformity These testimonials show how three diverse organizations have benefited from implementation and certification of ISO/IEC 27001 information security management systems – a gas processing group in Abu Dhabi, a Norwegian state-owned gaming organization, and India’s largest public sector energy infrastructure company. by Edward Humphreys Visiting Professor Edward Organizations Humphreys (FH University of today are required Applied Science, Hagenberg, Upper to conform or comply Austria), is Convenor of ISO/IEC JTC with many different laws and 1, Information technology, subcom- regulations, industry normsmittee SC 27, IT security techniques, and practices, internal audit- mation security management governments, academic and working group WG 1, Information ing standards and matters of system standards (ISMS) and charitable institutions (see security management systems. corporate governance. the International Standard Figure 1, overleaf). for achieving compliance with E-mail ISO/IEC 27001:2005, Infor- such requirements. This is The International Standard mation technology – Secu- because the standard is flexible is ideally suited to meet the rity techniques – Information enough to meet the needs of needs of information security security management systems small, medium-sized and large governance — a key aspect – Requirements, has become organizations with applica- of corporate governance that the benchmark for most infor- bility to all business sectors, protects an organization’s ISO Management Systems – January-February 2009  33
  • 34. © ISO Management Systems, INTERNATIONAL ISO/IEC 27001 (information securityinformation assets (see Fig- governance)ure 2). Laws Information Risk security risk managementThe following are three of managementmany case studies of organi- Governance Contractual regulations obligationszations that have certified to ImplementingISO/IEC 27001. (See also arti- Governance Implementing a system (corporate) a system ofcle “ Some 4  500 organizations Audit and controls of security Business controlsimplement ISO/IEC 27001 for policy, certification strategy and requirementsinformation security”, ISO and objectives ISMS auditsManagement Systems, July- standards Audit (internal andAugust 2008). ISO/IEC 27001 and compliance external) Figure 1 – ISO/IEC 27001: a flexible benchmark for Figure 2 – ISO/IEC 27001: ideally suited to meet information management. information security governance needs. 1 GASCO – During the summer of 2008, the IT Division of Abu Dhabi is implementing a range of management system standards, External attacks Abu Dhabi Gas Industries Ltd (GASCO) became the first oil and gas certification was the ideal way forward. Over time, we noticed exter- nal attacks on the network, Gas Industries company division in United Arab Emirates to be certi- internal user errors and a lack of awareness of information Ltd. fied in accordance with ISO/ IEC 27001. GASCO headquarters in Abu Dhabi. security among employees. The company responded by build- ing a qualified information ISO/IEC 27001 : The certification was achieved Web with senior management sup- “  he ideal way T port, under the leadership of forward ” General Manager Mr. Moham- med Sahoo Al Suwaidi, cover- ing implementation of state- of-the-art information security tools. by Adel Salem Alkaff At GASCO, we search for best practices to maintain market Adel Salem Alkaff is IT Division leadership, as part of our policy Manager, GASCO of continual improvement. The increasing need for informa- tion exchange and IT, particu- larly in a climate of threats and vulnerabilities in the sector, underlined the importance of information security manage- ment. Since ISO/IEC 27001 is the only globally recognized ISMS standard, and as GASCO34  ISO Management Systems – January-February 2009
  • 35. © ISO Management Systems, INTERNATIONAL security team to implement incident management, user 2 About GASCO awareness campaigns, and sup- port best practice standards, such as ISO/IEC 27001 and the Norsk Tipping pan-Nordic numbers game. In 1997, Norsk Tipping became the ASAbu Dhabi Gas Industries Ltd Information Technology Infra- first organization to be certified(GASCO) processes natural and structure Library (ITIL). according to this standard.associated gas from onshoreoil operations in the Emirate of Even though implementing and Since 1995, the WLA SecurityAbu Dhabi. The company was maintaining an ISMS requires “ Don’t gamble with Control Standard has beenincorporated in 1978 as a joint considerable dedication, the information security ” continuously revised by theventure between Abu Dhabi system has full management WLA Security and Risk Man-National Oil Company (ADNOC) support at GASCO, and we agement Committee. However,(68 % shareholding), Shell and plan further extensions to the ISO/IEC 27001 has now beenTotal (15 % each) and Partex scope of the certification. added to the the general infor-(2 %). mation security controls of the Enhanced awareness WLA standard.GASCO was established fol-lowing the directive of His Implementing ISO/IEC 27001Highness the late Sheikh has led to enhanced informa-Zayed bin Sultan Al Nahyan, tion security awareness amongPresident of the United Arab employees, improved securityEmirates and Ruler of Abu operation efficiency, and hasDhabi, to utilise Abu Dhabi’s helped increase understand-significant gas resources which ing of the need for continual by Hilde Gruntare converted into a wide improvement.range of domestic products Hilde Grunt is Security Advisor,exported worldwide. Norsk Tipping ISO/IEC 27001-certified Norsk Tip- ping is Norway’s leading gaming ISO/IEC 27001 is company and member of the World the only globally recognized Lottery Association. ISMS standard State-owned Norsk Tipping, Norway’s leading gaming com- The lottery specific controls pany and member of the World r e l a t i n g t o l ot t ery draw s, Lottery Association (WLA), Our company is now seen instant tickets, handling of was certified according to ISO/ as the leader in information prize money, etc., remained IEC 27001 in 2008, some 11 security within the Abu Dhabi unchanged from the old years after gaining certifica- National Oil Company Group WLA standard. Now, to gain tion to the Intertoto Security (ADNOC). In addition, going WLA certification, the lot- Control Standard (a WLA through the certification proc- tery or gaming company has predecessor). ess helped us establish useful to conform to both ISO/IEC international contacts with The objective of that earlier 27001 and the lottery specific our certification body Lloyd’s certification was to enable requirements. Register Quality Assurance members to achieve a common Ltd. (LRQA), and with lead- security standard, and provide Major change ing ISMS consultancies around an approved security frame- the world. work for those who wished Inclusion of ISO/IEC 27001 to participate in international was a major change. The pre- lotteries. WLA certification is vious WLA-standard was an now a prerequisite for partici- industry standard, and the pating in the Viking Lotto, a WLA Security and Risk Man- ISO Management Systems – January-February 2009  35
  • 36. © ISO Management Systems, INTERNATIONALagement Committee identi- certification is the implemen-fied the controls needed to tation of an ISMS that preventsdeal with lottery risks. Any information security existinglottery or gaming company solely in the ITC and securityseeking certification had to departments, by utilizing exter-comply with all the controls nal reviews as company-widein the standard. Compared to quality assurance.ISO/IEC 27001, the industry’sformer ISMS requirementswere much more simplistic.Preparation for certificationdemanded a new approach and About Norsk Tippinga thorough revision of NorskTipping’s ISMS. Headquarters of ISO/IEC 27001-certified Norsk Tipping in Hamar, Norway. Norsk Tipping, Norway’sAxel Krogvig, President and Web leading gaming company, isCEO of Norsk Tipping, says wholly owned by the Norwe-that ISO/IEC 27001 certifica- remain focused on the objec- associated controls and docu- gian State. Profits are dividedtion represents a good quality tives and implement an ISMS mentation. The fact that it is equally between the nation’sassurance when the objective that helps the processes to run an open standard also allows sports and culture to implement a management smoothly and efficiently,” says comparison with other certi- Norsk Tipping is a member ofsystem to ensure that the com- Mr. Krogvig. fied companies, regardless of the World Lottery Associationpany’s information security type of business. (WLA), a global professionalrisk is maintained at a defined association of state lottery and Benefits Middle management cite “peri- gaming organizations from 76and acceptable level. odic audits performed by an countries and five continents According to Senior Vice Pres- accredited body” as a principal aimed at advancing the ident ICT, Trond Karlsen, ISO/ benefit of ISO/IEC 27001 cer- interests of state-authorizedAnnual safeguard IEC 27001 certification has tification. The discipline of a lotteries. given Norsk Tipping a commonISO/IEC 27001 certification third party check on whether information security language,is an indicator that we are on we do as we say reminds us Hilde Grunt is responsible for and this has created a newthe right track, and the annual not to postpone or forget tasks ISMS audits, security aware- security awareness throughoutaudit is a safeguard to keep us critical to the core business ness and training. She is also the organization. Privacy Ombudsman in accor-focused throughout the year. processes amid the distractionsMr. Krogvig emphasizes the Different departments, such of the daily routine. dance with the Personal Data as ITC, sales and security, now Act. She has been active inimportance of maintaining the revisions and developmentcertification as the means have a common understanding ISO/IEC 27001 certification of the WLA Security Controlof achieving the company’s of risk management and refer Standards.objectives, and not that certi- to the same framework of con- represents a good qualityfication becomes an objective trols. However, the standard assurance Web www.norsk-tipping.noin itself. can be a challenge to imple- ment since it is necessary to“There is always a danger that coordinate ISO/IEC 27001 Another significant benefitimplementing a standard will requirements with numerous mentioned by middle man- Without doubt, ISO/IEC 27001cause unnecessary bureauc- other management system agers is the ISO/IEC 27001 implementation has enabledracy and not bring substantial requirements confronting the requirement for management us to integrate informationbenefit to the organization. company. to ensure that security is incor- security management intoMore than giving value, the porated in the general manage- managing Norsk Tipping instandard can lead a life of its Among other benefits, Mr. ment processes. a way that ensures our busi-own, justifying any measures Karlsen says the standard pro- ness objectives can be met atneeded to keep the certificate vides a structured approached In summary, we believe the a defined and agreed level ofhanging on the wall. One must to ISMS development and key benefit of ISO/IEC 27001 information security risk.36  ISO Management Systems – January-February 2009
  • 37. © ISO Management Systems, INTERNATIONAL 3 Since this information is the lifeline of BHEL’s entire busi- ness operations, its availability, About BHEL confidentiality and integrity Bharat Heavy Information Technology of the Ministry of Communication are critical for the survival of Electricals and Information Technology at the company. M/S Bharat Heavy Electricals the Government of India. Limited (BHEL) is the largest Limited STQC has received international recognition of its ISMS certifica- Threats and vulnerabilities engineering and manufactu- ring enterprise in India in the energy-related/infrastructure tion scheme following accredi- Extranet connectivity pro- sector with a network of 14 “A role model for tation by the Dutch Council vides communication out- manufacturing divisions, four information security for Accreditation (Raad voor side the organization and power sector regional centres, management in India” Accreditatie – RvA), and is the vice-versa, enabling BHEL to over 100 project sites, eight first Indian accredited certifica- talk with suppliers, partners, service centres and 18 regio- tion body in the country, and vendors and customers, and nal. outside the United Kingdom and importantly, connecting back Netherlands, to have done so. into legacy systems where The company manufactures critical corporate informa- over 180 products under 30 BHEL generates, transmits major product groups and tion lies. and maintains a huge amount caters to the core power gene- of design, engineering and Information security had ration and transmission, indus- manufacturing data both in always been important, but it try, transportation, telecommu- electronic form and on paper. was not given a particularly nication and renewable energy With the entrenchment of IT in high priority because there had sectors of the Indian economy. core business processes, more been no serious security inci- by Arvind Kumar and more of that data is now dents. However, threats and stored on electronic media vulnerabilities have increased Author Arvind Kumar is Director, during the entire information with extranet connectivity.Standardization, Testing and Quality lifecycle. BHEL top management Certification Directorate, became aware of the need to Department of Information enhance information security, Technology, Government of India. and the challenge of imple- menting an ISMS was assigned E-mail to its IT fraternity. Corporate information technology was the driver for corporation- wide implementation.Bharat Heavy Electricals Lim- The information technologyited (BHEL), India’s largest network at BHEL consists ofenergy infrastructure engineer- strong IT groups at all majoring and manufacturing enter- locations. These groups over-prise, is the first Indian public see the local IT infrastructuresector organization to have and work to meet all the ITachieved the distinction of ISO/ needs of their parent units. TheIEC 27001 certification. corporate group looks afterThe organization was audited corporate office IT require-and certified by the Stand- ments and also provides direc- Headquarters of ISO/IEC 27001-certified Bharat Heavy Electricals Limited inardization, Testing and Quality tion to the company’s entire New Delhi, India.Certification (STQC) Directo- IT infrastructure.rate, part of the Department of Web ISO Management Systems – January-February 2009  37
  • 38. © ISO Management Systems, INTERNATIONALInternal capability building for corporate certification, With that aim, specialized modifications to the ISMS and that the whole company training of key personnel was documentation became theSince BHEL aspired to a could not be covered as a provided at all locations identi- responsibility of the unit levelfairly high level of maturity single entity. fied for ISMS implementation security forums.for information security, the covering network and systemcompany considered the merits Since most of the information security, security processesof employing the services of is generated by the manufac- and management, and security Role modelan external partner to guide turing units and power sector through the initial phase of regions, it was in those areas As a result of these planningISMS implementation. that we decided to implement and implementation processes, the ISMS first. Fourteen major Security forum BHEL became the first IndianBHEL selected the IT services locations were identified and public sector company to imple-of STQC, since we were well divided into two phases of BHEL decided to organize a ment and certify an ISMS inknown for providing profes- seven each. The best practices Corporate Information System conformity to ISO/IEC 27001,sional training and services of each unit were identified, Security Forum with its Cor- covering 13 units and the cor-in information security. STQC and an information security porate Information System porate IT department.was required to train BHEL policy was formulated and Security Officer (CISSO) aspersonnel in the different chairman. An Information Sys- Information security is now issued at corporate level.aspects of information secu- tem Security Officer (ISSO) a part of every key businessrity — network and system was identified for each loca- process. Management confi-security, and ISMS — and Successful implementation tion. All ISSOs are members dence in, and expectations of,also to help in building up the of the Corporate Information the IT groups has increased From STQC guidance and many times. This has not onlycapability needed to imple- Security Forum. The CISSO’s internal meetings, the follow- improved the risk manage-ment an ISMS. role is to maintain and review ing requirements for successful ment and contingency plan- information security policyThe management decided that, ISMS implementation were ning associated with informa- and provide guidance for itsalthough those external serv- developed: tion resources, but has also implementation.ices were required at the outset, enhanced customer and stake- • Gaining top managementthe company should build its While the company needed holder confidence. involvement at the units byown internal capabilities for the common documentation, dif- setting up a structured network From our point of view asentire ISMS implementation ferences in local practice were of committees and sub-com- the certification body it was aprocess. They felt that internal accommodated in customized mittees. This was necessary challenge to certify one of theresources should be developed versions to meet local needs. to achieve full awareness of premium public sector organi-because information security Hence, BHEL decided to have requirements and resources. zations in the country, with suchimplementation is not a once- five levels of documentation. Clearly, no organization-wide a diverse range of productsonly event, but a continuous The top level document, set- initiative can succeed without catering to the core sectors ofprocess. Requirements change ting out the ISMS policy, was the involvement of senior the Indian economy.along with changes in technol- finalized jointly with unit IT managers.ogy and business needs. This heads, approved by the Chair- Since ISO/IEC 27001 certifi-internal capability building • Developing employee aware- man and Managing Director cation there has been a sub-proved to be a major boost to ness of their role in information and issued as the corporate stantial improvement in theits ISMS implementation. security through education. information system security security management approach “  ase-of-use  versus “  ecu- E ” s policy. This was applicable to at BHEL. The company has rity” is an ongoing security the entire organization without become a role model for otherStarting point issue for many organizations. modification. public sector organizations It is a balancing act between in India under the nationalBHEL’s operations extend what the user community The other four levels – ISMS e-governance initiative to pro-over the entire country, with wants, and the security policy. Manual, ISMS Policies and tect the critical infrastructurefunction and practice dif- Security is only as strong as Guidelines, ISMS Procedures of the country. •fering from one location to the weakest link, and the full and ISMS Formats – could beanother. As such, it was clear involvement of employees in customized by the locationsthat BHEL could not apply the process is essential. concerned. All reviews and38  ISO Management Systems – January-February 2009
  • 39. © ISO Management Systems, STANDARDS FOR SERVICES European initiatives for sheltered housing and airport security New European service standards will define comprehensive requirements for sheltered housing and airport and aviation security services. The kick- off meetings for these projects took place in October and November 2008 in Vienna, Austria. Sheltered housing for elderly This future standard will spec- ify requirements for provid- ers of services of sheltered housing for the elderly and, according to its initiators, will be applicable irrespective of the legal form of owner- ship and management of the by Holger Mühlbauer property and public or private financing of the services. The Dr. Holger Mühlbauer has scope of the project covers specialized in service standardiza- one segment of a wider area tion since 1996 and is involved in of services for the elderly. a number of ISO and CEN projects “ S heltered housing” for therelated to services. He is Secretary likely stick to the term “ s hel- of a sheltered housing facility elderly has seen an enormous or project editor of several service tered housing ” . have to meet, and there is no increase in European coun-related ISO committees. He is now special institution that ensures tries such as Austria, Germany Today’s market offers a widein charge of service standardization the fulfilment of quality stand- and the United Kingdom in variety of different ON Austrian Standards Institute. the 1990s and has become an Sheltered housing is not a ards applicable to sheltered Dr. Mühlbauer’s professional important new form of living term that is clearly defined housing for the elderly. This background is in law. for elderly people. There are by law. However, in many situation has led to the devel-E-mail other terms such as “ s ervice European countries, there is opment of different regional Web living ” or “ a ttended living ” . no special legislation defining methods of voluntary quality The future standard will most the standards that providers assurance in the past. ISO Management Systems – January-February 2009  39
  • 40. © ISO Management Systems, FOR SERVICESThe future standard intends It will deal with quality cri- an essential role in overall encourages some companiesto provide an instrument for teria for the delivery of civil security related to airports, to cut their prices to thevoluntary quality assurance in aviation security services airlines and aircraft – to apply detriment of the quality ofthe sheltered housing market. related to airports, aircraft common quality standards. their services, despite theThe future standard defines and airlines, requested by fact that quality, especially in public and private clients Given the nature of private civil aviation, is recognized asminimum quality and will or buyers. The standard will security services and its an important and necessaryserve as an orientation for be suitable for the selec- increasing role in security element.the providers with regard to tion, attribution, awarding policies in general, the intro-the services they should make and reviewing of the most duction of standards related The standard will be designedavailable if they want to offer suitable provider of airport, to quality is important to to guide clients in civil avia-sheltered housing. aircraft, airline and airport- increase the professionalism tion through different keyAt the same time the standard related civil aviation security of the services offered and quality criteria to considerintends to make the services services. to increase the much needed when selecting a high qualityoffered for this type of living guarantees for buyers and provider for private securitymore transparent for the con- The stakeholders backing the clients. services in civil aviation.sumers. The future standard proposal felt it would be nec-will not deal with product- It will help to distinguish essary to develop a Europeanrelated requirements. Quality between requirements of standard for private security different sites and private services for airports, airlines The initiators were also of security tasks and to enableAirport and aviation and aircrafts, because civil the opinion that common contracting parties to issuesecurity services aviation is most of all about standards related to quality clear and detailed specifica- people and must therefore for the described privateThis standard will lay down tions of their requirements to comply with the highest pos- security services will avoidrequirements for quality in prospective tenderers, thus sible rules and standards. “companies not willing toorganization, processes, per- generating a higher quality go for the highest quality response. Also this futuresonnel and management of a Today, there are no industry- criteria” being selected on the standard is not intendedsecurity service provider and/ driven standards related to basis of price solely, rather to specify product-relatedor its independent branches the imperative quality that than on a efficient and effec- requirements.and establishments under must be provided by private tive combination of price incommercial law and trade security companies deliv- relation to a provider with regard to ering services to the civil 2011 targetairport, aircraft, airline and aviation industry. Indeed, it Th e e x i s t i n g c o m p e t i t i o nairport-related civil aviation is necessary for the private within the private security The chairs of both the abovesecurity services. security providers – who play s e ct o r p u r s u i ng co n t r a ct s European Committee for Standardization (CEN) projects represent the rele- vant business and thus appro- priate background knowledge and experience. The secretariats are held by ON, Austrian Standards Insti- tute, which is a member both of CEN and ISO. Completion of both the above projects is expected for 2011. •40  ISO Management Systems – January-February 2009
  • 41. NEXT ISSUE ISO INSIDER SPECIAL REPORT STANDARDS FOR SERVICESCarbon footprint The future of to organizations affectedof products management system by the current financial certification turmoil impacting the world Improving theISO is to begin work in Jan- economy ? The Report will quality ofuary 2009 on a new standard What is the future of man- comprise perspectives from tourism inon the carbon footprint of agement system certifica- a selection of certification Trinidad andproducts. A completion date tion, including its relevance bodies around the world. Tobagoof March 2011 is expected. Itis to provide requirements The Trinidad and Toba-for the quantification and go Tourism Certificationcommunication of green- Programme(TTTIC) is play-house gases (GHGs) associ- ing a crucial role in improv-ated with goods and services. ing the quality of productsIt will provide tools to quan- and services offered by thetify the carbon footprint and tourism industry therebyharmonize methodologies ensuring best value forfor communicating the car- money experiences to itsbon footprint information, customers. This programmeas well as provide guidance is based on three nationalfor this communication. standards developed by the Trinidad and Tobago Bureau of Standards (TTBS).Carbon footprintsand everyday life INTERNATIONALSo far, policies on GHG emis- Global IS-BAO business ness Aircraft Operations ” tosion reductions do not much aviation standard raise operating safety andconcern people’s everyday incorporates ISO 9001 efficiency. Incorporating ISOlives and consumption habits. 9001:2000-related concepts has Business aviation is growingTo change this, the concept strengthened the standard and fast. In response, the Inter-of carbon footprinting goods made it a “ m inimum must ” national Business Aviation Quality managementand services is becoming for today’s business aviationmore and more in vogue, Council developed the “ Inter- applied to crops operators. national Standard for Busi-rightly to make people con- One of the latest ISO 9001scious of the GHG emissions spin-offs is ISO 22006,“   idden  in the life cyle of the h ” Quality management sys-products they consume. Sev- tems – Guidelines for theeral emerging approaches to application of ISO 9001 incalculate the carbon footprint crop production. It providesof products exists and the first guidance for individuals,carbon labels emphasize the cooperatives and compa-real necessity of a reliable, nies wishing to apply ISOunique and international 9001 principles to agricul-calculation method. tural practices.